Blocking smtp auth attempts

Splet

We're seeing hundreds of these (example below) each hour, looks like botnets guessing the passwords. They have many zombies, since IPs rarely repeat and lfd is not blocking them.
What I notice is most of the IPs are on SpamHaus XBL or SBL, but exim is only blocking them if they try to send an email. Is there a way to check the IP against SpamHaus for these login attempts, too?

2023-03-19 08:01:09 login authenticator failed for (ADMIN) [103.187.4.x]: 535 Incorrect authentication data (set_id=uros@...)
2023-03-19 08:01:11 login authenticator failed for ([185.245.40.x]) [185.245.40.x]: 535 Incorrect authentication data (set_id=frank)
...
 
You can configure csf to block harder after failed attempts.
By default it blocks after 5 or 10 attempts during 1h (depends on service); you can configure it to block, for example, after 3 attempts during 8h.
 
Thanks, will try those lists, hope it doesn't overburden my ipset. I'll match IPs with those and see which matches most of them.

Botnet IPs don't repeat often, some even for days, so LFD tightening would block some legit users, too.
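A worked example of the matching described in the two posts above (added here; it is not code from anyone in the thread): it parses exim "authenticator failed" lines in the format quoted in the first post, counts attempts per IP, and tags each IP with the Spamhaus ZEN list it answers on. The log lines, addresses and DNSBL answers are constructed, and the resolver is injected so the script runs offline; in production `resolve` would return the A records of a real DNS query.

```python
import re
from collections import Counter, defaultdict

# Constructed exim mainlog lines in the format quoted above (TEST-NET addresses, not real offenders).
SAMPLE_LOG = """\
2023-03-19 08:01:09 login authenticator failed for (ADMIN) [192.0.2.10]: 535 Incorrect authentication data (set_id=uros@example.com)
2023-03-19 08:01:11 login authenticator failed for ([198.51.100.7]) [198.51.100.7]: 535 Incorrect authentication data (set_id=frank)
2023-03-19 08:01:15 login authenticator failed for (ADMIN) [192.0.2.10]: 535 Incorrect authentication data (set_id=frank)
2023-03-19 08:01:20 <= bob@example.com H=mail.example.net [203.0.113.5] P=esmtps S=1234
"""

# The IP is the last bracketed token before ': 535'; set_id is the username that was tried.
AUTH_FAIL = re.compile(r"authenticator failed for .*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: 535 .*set_id=(?P<user>[^)]+)\)")

def parse_auth_failures(log_text):
    """Return (ip, set_id) pairs from exim 'authenticator failed' lines; other lines are skipped."""
    return [(m["ip"], m["user"]) for m in map(AUTH_FAIL.search, log_text.splitlines()) if m]

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the octets as IPv4 DNSBLs expect: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

# Spamhaus ZEN answer codes: SBL 127.0.0.2-3, XBL 127.0.0.4-7, PBL 127.0.0.10-11.
# PBL is dynamic/end-user space, i.e. where legitimate clients AUTH from, so it is kept distinct.
def zen_list(answer):
    last = int(answer.rsplit(".", 1)[1])
    return "SBL" if last in (2, 3) else "XBL" if 4 <= last <= 7 else "PBL" if last in (10, 11) else "unknown"

def classify_failures(log_text, resolve):
    """Count failures per IP and tag each IP with the ZEN lists it is on.
    resolve(name) returns the A records for a DNSBL query ([] for NXDOMAIN); it is
    injected so the function runs offline in tests and with a real resolver in production."""
    attempts, users = Counter(), defaultdict(set)
    for ip, user in parse_auth_failures(log_text):
        attempts[ip] += 1
        users[ip].add(user)
    return {ip: {"attempts": n, "users": sorted(users[ip]),
                 "lists": sorted({zen_list(a) for a in resolve(dnsbl_query_name(ip))})}
            for ip, n in attempts.items()}

def fake_resolver(name):
    """Constructed DNSBL answers for the sample IPs, standing in for a real DNS lookup."""
    table = {dnsbl_query_name("192.0.2.10"): ["127.0.0.4"],     # XBL: compromised host
             dnsbl_query_name("198.51.100.7"): ["127.0.0.11"]}  # PBL only: dynamic range
    return table.get(name, [])

if __name__ == "__main__":
    for ip, info in classify_failures(SAMPLE_LOG, fake_resolver).items():
        print(ip, info)
```

Keeping the PBL result separate from SBL/XBL matters for the question asked: a PBL hit says the address is end-user space, which is where real mail clients authenticate from.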
 
For the record, you should NOT block AUTH based on RBLs that are designed for stopping spam. For instance, a dynamic IP, or a carrier grade NAT IP might be on an RBL, since they should not have an email server on that IP, and might have 'bots' on it, but that IP also has legitimate email clients trying to access their email. Think your local coffeeshop which might be on lots of DUL based RBLs. Now, there ARE some RBLs that are designed to stop AUTH attacks from obvious bad sources (eg SpamRats RATS-AUTH or RATS-NULL), but auth sources are a multi-level approach. Generally you WANT connections from DUL networks to AUTH. But you don't expect random servers on Digital Ocean, AWS, Google Cloud, to authenticate against your email. You might like to look at country auth blocking, cloud blocking, etc. (BTW, #blowingownhorn) MagicSpam comes with all these things built in. However, right now with Mirai bots, and others running full bore, you can expect that over 75% of all authentication attempts will be BOTS, from the same IPs you expect legitimate traffic (Bots on Windows, Bots on GPON Routers).

In the end, using proper 2FA is the only long term solution, and some traffic will always be 'noise' in your logs.

But make sure you have REALLY good detection systems, including Rate Limiters and other tools to detect any compromised attacks as well.
Customers will ALWAYS be vulnerable to 'phishing' or password re-use problems.

Oh, and a final word: watch out for AUTH attacks via VPNs and open Proxies. Hackers in foreign countries use that to get around country blocking for attacks, not only for watching Netflix.
 